Hi there,
I’m having some trouble setting up OpenVPN (server mode) on top of an existing VyOS cluster.
I have 2 hosts (let’s say 10.0.0.1 and 10.0.0.2) that share a virtual IP (let’s say 10.0.0.100) using VyOS clustering features. Traffic from the internet is coming through that virtual IP.
The issue I’m experiencing is that whenever a client connects, the first UDP packet comes to the active cluster member on the virtual IP address, but it then replies with its own eth0 address. This way, the client never receives an answer and TLS negotiation fails.
I’ve been able to diagnose this behavior using tcpdump:
19:18:41.025890 IP (tos 0x0, ttl 50, id 27901, offset 0, flags [none], proto UDP (17), length 42)
    55.55.55.55.54742 > 10.0.0.100.1194: UDP, length 14
19:18:41.026708 IP (tos 0x0, ttl 64, id 41449, offset 0, flags [DF], proto UDP (17), length 54)
    10.0.0.10.1194 > 55.55.55.55.54742: UDP, length 26
19:18:42.120234 IP (tos 0x0, ttl 50, id 41636, offset 0, flags [none], proto UDP (17), length 42)
    55.55.55.55.54742 > 10.0.0.100.1194: UDP, length 14
19:18:42.120420 IP (tos 0x0, ttl 64, id 41667, offset 0, flags [DF], proto UDP (17), length 50)
    10.0.0.10.1194 > 55.55.55.55.54742: UDP, length 22
19:18:43.161388 IP (tos 0x0, ttl 50, id 47711, offset 0, flags [none], proto UDP (17), length 42)
    55.55.55.55.54742 > 10.0.0.100.1194: UDP, length 14
19:18:43.161522 IP (tos 0x0, ttl 64, id 41702, offset 0, flags [DF], proto UDP (17), length 54)
    10.0.0.10.1194 > 55.55.55.55.54742: UDP, length 26
19:18:44.263282 IP (tos 0x0, ttl 50, id 45376, offset 0, flags [none], proto UDP (17), length 42)
    55.55.55.55.54742 > 10.0.0.100.1194: UDP, length 14
19:18:44.263414 IP (tos 0x0, ttl 64, id 41725, offset 0, flags [DF], proto UDP (17), length 50)
    10.0.0.10.1194 > 55.55.55.55.54742: UDP, length 22
19:18:45.264311 IP (tos 0x0, ttl 50, id 62267, offset 0, flags [none], proto UDP (17), length 42)
    55.55.55.55.54742 > 10.0.0.100.1194: UDP, length 14
19:18:45.264461 IP (tos 0x0, ttl 64, id 41768, offset 0, flags [DF], proto UDP (17), length 50)
    10.0.0.10.1194 > 55.55.55.55.54742: UDP, length 22
(I only replaced my client IP with 55.55.55.55).
My current OpenVPN interface config is as follows:
openvpn vtun0 {
    description "OpenVPN TEST"
    local-port 1194
    mode server
    persistent-tunnel
    protocol udp
    server {
        name-server 10.0.0.30
        name-server 10.0.0.31
        push-route 10.0.0.0/16
        subnet 10.99.0.0/24
        topology subnet
    }
    tls {
        ca-cert-file /config/auth/ca.crt
        cert-file /config/auth/server.crt
        crl-file /config/auth/crl.pem
        dh-file /config/auth/dh.pem
        key-file /config/auth/server.key
    }
}
Am I missing something?
Thanks in advance!
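As an added illustration (not part of the original post or of VyOS), a small Python check that parses `tcpdump -v` output in the two-line format shown above and flags UDP replies from port 1194 whose source address differs from the address the client sent to. The packet lines embedded in it are constructed to mirror the capture quoted in the post; the server port and the regexes are assumptions about that format.

```python
import re
from collections import namedtuple

# Constructed sample in the two-line `tcpdump -v` format quoted in the post above.
SAMPLE = """\
19:18:41.025890 IP (tos 0x0, ttl 50, id 27901, offset 0, flags [none], proto UDP (17), length 42)
    55.55.55.55.54742 > 10.0.0.100.1194: UDP, length 14
19:18:41.026708 IP (tos 0x0, ttl 64, id 41449, offset 0, flags [DF], proto UDP (17), length 54)
    10.0.0.10.1194 > 55.55.55.55.54742: UDP, length 26
19:18:42.120234 IP (tos 0x0, ttl 50, id 41636, offset 0, flags [none], proto UDP (17), length 42)
    55.55.55.55.54742 > 10.0.0.100.1194: UDP, length 14
19:18:42.120420 IP (tos 0x0, ttl 64, id 41667, offset 0, flags [DF], proto UDP (17), length 50)
    10.0.0.10.1194 > 55.55.55.55.54742: UDP, length 22
"""

Packet = namedtuple("Packet", "ts src sport dst dport length")

# Line 1 of each packet: timestamp and the IP header summary (UDP only).
HEADER_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) IP \(.*proto UDP \(17\)")
# Line 2: "src.port > dst.port: UDP, length N" (IPv4 only; assumption about the format).
FLOW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)")

def parse_tcpdump(text):
    """Turn two-line tcpdump -v records into Packet tuples; other lines are skipped."""
    packets, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        h = HEADER_RE.match(lines[i])
        f = FLOW_RE.match(lines[i + 1]) if h and i + 1 < len(lines) else None
        if f:
            src, sport, dst, dport, length = f.groups()
            packets.append(Packet(h.group(1), src, int(sport), dst, int(dport), int(length)))
            i += 2
        else:
            i += 1
    return packets

def find_asymmetric_replies(packets, server_port=1194):
    """Return (ts, client, client_port, addr_client_used, addr_server_replied_from)
    for every reply whose source is not the address the client originally sent to."""
    expected = {}  # (client_ip, client_port) -> server address the client used
    findings = []
    for p in packets:
        if p.dport == server_port:                      # client -> server
            expected.setdefault((p.src, p.sport), p.dst)
        elif p.sport == server_port:                    # server -> client
            want = expected.get((p.dst, p.dport))
            if want is not None and want != p.src:
                findings.append((p.ts, p.dst, p.dport, want, p.src))
    return findings

if __name__ == "__main__":
    for ts, client, port, used, replied in find_asymmetric_replies(parse_tcpdump(SAMPLE)):
        print(f"{ts} {client}:{port} sent to {used} but was answered from {replied}")
```

This is the general OpenVPN case that the upstream `--multihome` option addresses: a UDP server reachable on more than one address must answer from the address the request arrived on, otherwise the client never matches the reply to its request.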